Vulnerability CVE-2019-9936: Information

Description

In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-9936
Published: March 22, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-125

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
sqlite3sisyphus3.28.0-alt13.44.2-alt1ALT-PU-2019-1971-1231334Fixed
sqlite3p103.28.0-alt13.35.5-alt1.p10.1ALT-PU-2019-1971-1231334Fixed
sqlite3p93.28.0-alt13.33.0-alt1ALT-PU-2019-2336-1235070Fixed
sqlite3c10f13.28.0-alt13.35.5-alt1.p10.1ALT-PU-2019-1971-1231334Fixed
sqlite3c9f23.28.0-alt13.36.0-alt2ALT-PU-2019-2336-1235070Fixed
sqlite3p113.28.0-alt13.44.2-alt1ALT-PU-2019-1971-1231334Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://sqlite.org/src/info/b3fa58dd7403dbd4
  • Patch
  • Vendor Advisory
107562
  • Third Party Advisory
  • VDB Entry
https://security.netapp.com/advisory/ntap-20190416-0005/
  • Third Party Advisory
openSUSE-SU-2019:1372
    USN-4019-1
      GLSA-201908-09
        https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
          https://www.oracle.com/security-alerts/cpujan2020.html
            [debian-lts-announce] 20200822 [SECURITY] [DLA 2340-1] sqlite3 security update
              https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114382.html
                https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114394.html
                  FEDORA-2019-8641591b3c
                    FEDORA-2019-a01751837d

                        1. Configuration 1

                          cpe:2.3:a:sqlite:sqlite:3.27.2:*:*:*:*:*:*:*
                      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                      Version: v24.5.3
                      Back to top